-
Cribl Edge (standalone): Windows Metrics - Splunk, do not result in actionable information
I am new to Cribl. Cribl Edge (standalone, installed on a Windows 10 laptop for test/evaluation): Windows Metrics do not return actionable information when forwarding to a standalone Splunk Enterprise instance. What am I doing wrong, or what am I missing here? The Windows Eventlog Cribl source is correctly received in JSON. But…
-
Unable to perform Destination test with Splunk HEC
I am new to Cribl and trying to set up a Splunk HEC destination from a Cribl Sandbox Stream instance. I have provisioned a free Splunk Cloud instance and set up HEC. While I can send data via: curl -k "https://<host>:8088/services/collector" -H "Authorization: Splunk 38aa4a38-8fd5-4faa-afc4-9b3533ac39c7" -d "{"event": "Hello,…
-
Best way to repopulate S3 data into Splunk?
We want to use Cribl to repopulate CloudTrail logs from S3 into Splunk on demand for review/audit/analysis purposes. Ideally, we would be able to request this from within Splunk, but we could also query within Cribl to pull the data if necessary. Are there any best practices or use cases that you can provide?
-
Log and sourcetype reporting in Splunk
I want to report on logs ingested with Cribl in the Splunk environment. The logs will remain stored on the Cribl side, but the reporting will be done in Splunk. How can I achieve this? The logs are NOT forwarded to Splunk. Thank you in advance for your answers.
-
Where is the equivalent setting to Splunk's Source type > Select Source Type > Structured > _json
Hi, I'm trying to set up a Splunk HEC within Cribl Stream, and I'm encountering the error "malformed HEC event." I've encountered that error when setting up HECs in Splunk, and to correct the problem I have to go to Source type > Select Source Type > Structured > _json when editing the HEC's settings. I've been looking and…
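The two HEC posts above (the curl in "Unable to perform Destination test with Splunk HEC" and the "malformed HEC event" error here) both come down to what the Splunk HEC event endpoint accepts: the body must be a JSON object, the HEC envelope, with a non-blank `event` key and optional `time`, `host`, `source`, `sourcetype`, `index` and `fields` keys. The `_json` source type setting applies when Splunk parses a raw body; the `/services/collector` and `/services/collector/event` endpoints expect the envelope regardless of source type. The following is an added example, not code from the original page or from Cribl or Splunk; the host name and token are placeholders, and the sample events are constructed. It checks a body against the envelope rules, builds a well-formed envelope from an arbitrary record, and shows what a POSIX shell actually hands to `curl -d` when double quotes are nested inside a double-quoted argument.

```python
import json
import shlex
import time
from typing import Any, Optional, Tuple

# Placeholders (hypothetical host and token), not values from the page.
HEC_URL = "https://splunk.example.com:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


def validate_hec_event(body: str) -> Tuple[bool, str]:
    """Check a request body against the rules the HEC event endpoint enforces.

    Returns (ok, reason). The reasons mirror the checks Splunk applies:
    valid JSON, a top-level object, a non-blank "event" key, and sane metadata types.
    """
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"body is not valid JSON: {exc.msg}"
    if not isinstance(obj, dict):
        return False, "top level must be a JSON object (the HEC envelope)"
    if "event" not in obj:
        return False, "event field is required"
    if obj["event"] in (None, "", {}):
        return False, "event field cannot be blank"
    if "time" in obj:
        t = obj["time"]
        numeric = isinstance(t, (int, float)) or (isinstance(t, str) and t.replace(".", "", 1).isdigit())
        if not numeric:
            return False, "time must be epoch seconds (number or numeric string)"
    for key in ("host", "source", "sourcetype", "index"):
        if key in obj and not isinstance(obj[key], str):
            return False, f"{key} must be a string"
    if "fields" in obj and not isinstance(obj["fields"], dict):
        return False, "fields must be an object of indexed fields"
    return True, "ok"


def to_hec_envelope(record: Any, sourcetype: str, host: str,
                    index: Optional[str] = None, ts: Optional[float] = None) -> str:
    """Wrap any record (string or JSON-serialisable object) in a HEC envelope."""
    envelope: dict = {
        "time": ts if ts is not None else round(time.time(), 3),
        "host": host,
        "sourcetype": sourcetype,
        "event": record,
    }
    if index:
        envelope["index"] = index
    # json.dumps does the quoting, so nothing depends on shell escaping.
    return json.dumps(envelope)


def body_as_seen_by_curl(shell_fragment: str) -> str:
    """Return the argument following -d as a POSIX shell would pass it to curl.

    Nested double quotes close and reopen the quoted string, so the JSON
    quote characters never reach curl and the body is split at the first space.
    """
    args = shlex.split(shell_fragment)
    return args[args.index("-d") + 1]


def hec_headers() -> dict:
    """Headers for a HEC request; the token goes in the Authorization header."""
    return {"Authorization": f"Splunk {HEC_TOKEN}", "Content-Type": "application/json"}


if __name__ == "__main__":
    # Constructed sample: nested double quotes as typed in a POSIX shell.
    bad = body_as_seen_by_curl('-d "{"event": "Hello, world"}"')
    print(repr(bad), validate_hec_event(bad))
    # Single-quoting the body keeps the JSON intact.
    good = body_as_seen_by_curl("-d '{\"event\": \"Hello, world\"}'")
    print(repr(good), validate_hec_event(good))
    # A structured record wrapped the way the event endpoint expects it.
    print(to_hec_envelope({"user": "alice", "action": "login"}, "_json", "laptop01", ts=1700000000.0))
```

The envelope is what `to_hec_envelope` returns; sending the inner record by itself (for example `{"user": "alice"}`) to the event endpoint fails the `event field is required` check, which is the kind of body that gets reported as malformed.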
-
AWS SQS input not receiving/sending all region messages to Splunk
I recently set up our Amazon SQS queue in Cribl. Events are forwarding to Splunk; however, when compared to the pre-existing AWS logs in Splunk from the heavy forwarder TA, I noticed we are only pulling in events from one region via Cribl, as opposed to the 20 that are actually sending events and being received through the Splunk TA.…
-
What does an "Unsupported op-code 249" mean?
Why do we see this message when using Cribl v4.4.0 with S2S V4 and Splunk forwarder version 9.1.x: { "time": "2023-12-19T15:16:15.549Z", "cid": "w0", "channel": "input:in_splunk_tcp", "level": "error", "message": "closed connection", "src": "10.10.10.10:62453", "error": { "message": "Unsupported op-code 249.", "stack":…
-
LDAP queries for Active Directory info
Can Cribl Stream carry out LDAP queries to Microsoft AD and then save the AD information in a lookup table or something similar? I want to automate fetching AD information from AD servers and then feeding it to a SIEM like Splunk or Elastic.
-
Adding Splunk Metadata to events
I have an event with no Splunk metadata values within the events, and I am trying to add new fields such as host, index, source and sourcetype (custom fields). I tried using an Eval but had no luck; how do I go about this?
-
Is it possible to disable certificate validation when connecting a Splunk Search Collector?
Hello, we are trying to set up a Splunk Search collector against an on-prem Splunk with a self-signed certificate. Is it possible to disable certificate validation?